similar to: ldbsearch performance and tuning...

Mandi! Andrew Bartlett via samba In chel di` si favelave... > > I'm still on samba4.5, sorry me. > Fix that first. Eh... i hope on this year. > > I've done some (bash) scripting around ldbsearch, but i've found some > > performance and 'lock' trouble. > Correct, Samba before 4.7 has very poor unindexed search performance, > due to a bug.  OK.

On Wed, 29 Aug 2018 10:39:20 +0200 Marco Gaiarin via samba <samba at lists.samba.org> wrote: > Mandi! Andrew Bartlett via samba > In chel di` si favelave... > > > > I'm still on samba4.5, sorry me. > > Fix that first. > > Eh... i hope on this year. From that, it looks like you mean later this year, I would update as soon as 4.9.0 comes out. > >

On Wed, 27 Mar 2019 13:00:42 +0100 Franta Hanzlík <franta at hanzlici.cz> wrote: > Yes, is no difference between '-UAdministrator' and '-U > Administrator'. But it seems, as ldbsearch in 4.9.5 is different than > 4.9.4-. (I was furious with that, because I found lot articles on > net, where -U _username_ was stated. > > My ldbsearch is from pure

Mandi! Rowland penny via samba In chel di` si favelave... > Who was this 'someone' ? [...] > Yes, stop listening to spurious people who have never done the upgrade and > follow our documentation ;-) I'm 'someone'! ;-) And, as you know, i've correctly migrated/merged 4 NT domains in an AD domain some year ago, following also hint from this list. ;-) > I

On Fri, 29 Mar 2019 09:28:37 +0100 Franta Hanzlík <franta at hanzlici.cz> wrote: > On Wed, 27 Mar 2019 13:11:08 +0000 > Rowland Penny via samba <samba at lists.samba.org> wrote: > > > On Wed, 27 Mar 2019 13:00:42 +0100 > > Franta Hanzlík <franta at hanzlici.cz> wrote: > > > > > Yes, is no difference between '-UAdministrator' and

Mandi! Rowland penny via samba In chel di` si favelave... > If you go here: http://www.selfadsi.org/extended-ad/user-unlock.htm > It says: So, seems to me that 'Lockout-Duration' is an 'unused option'... -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via

I need to do some testing, but before to hit by head on a known wall, i ask here. My AD domain get used (via PAM/Winbind) to give access to some other dervice, most notably here dovecot. When password expire (or users change it) the MUA try the old password some times, then ask for a new password; users cleraly get scared, press randomly 'OK' or 'Cancel', but if they press 2-3

Currently for my user: root at vdmsv1:/etc/exim4# ldbsearch -H ldap://vdcsv1 -P -b DC=ad,DC=fvg,DC=lnf,DC=it "(cn=gaio)" | grep ": gaio$" cn: gaio name: gaio sAMAccountName: gaio uid: gaio msSFU30Name: gaio what field is betetr to use for querying for user 'gaio'? 'uid' no (because RFC2307 data can be missing), so? 'sAMAccountName'? or

Mandi! Rowland penny via samba In chel di` si favelave... I came back on this, because still some glitches happen. Yesterday I'm locked out. 'pdbedit -vL gaio' say me that account IS locked. But: > yes, Provided you use the right attribute to search on ;-) > Something like this will give you if/when the account was locked out: > ldbsearch -H

Mandi! Andrew Bartlett via samba In chel di` si favelave... > It is an operational attribute. simply add  > msDS-UserPasswordExpiryTimeComputed > to the list of attributes requested when searching for the user. root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b "dc=ad,dc=fvg,dc=lnf,dc=it" -s base "" maxPwdAge # record 1 dn:

In my current ''production'' NT-like domain (samba 4.2, OpenLDAP backend), password policies seems to ''get written'' to user data. EG, if i set: pdbedit -P "maximum password age" -C 7776000 and i change my password, 'Password must change' have a meningful value, eg 90 days more then the last password change: root at armitage:~# pdbedit -v

Mandi! Rowland penny via samba In chel di` si favelave... > You cannot create an ldap filter using the above, you would have to filter > the result of the ldap search. I can confirm: root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b DC=ad,DC=fvg,DC=lnf,DC=it '(&(objectClass=user)(sAMAccountName=gaio))' msDS-User-Account-Control-Computed # record 1 dn:

Mandi! Rowland Penny via samba In chel di` si favelave... > Why do you need a list of users ? Because?! ;-) I've coded some script in the past (eg, when i was using OpenLDAP and samba in NT mode) that do something on the behalf of the users, ad i was used to do a 'getent passwd' to have the list. > effect when 5.0.0 came out. I cannot see any of then being marked as >

Mandi! Rowland Penny via samba In chel di` si favelave... > Whilst there are attributes that do not get replicated between DC's, > the majority are, so each DC should allow the same access. > Do you have access to the DC ? > Can you run the search locally ? Sure! As just stated, local access (via ldbsearch against the local SAM) works as expected: root at vdcpp1:~# ldbsearch

Er,there it is. I want to use samba to build a domain. I want to join computers into this domain. And I need to access this domain to get sid of computers in the domain, using C# class DirectoryEntry as 'ldap://my domain info' in my another program. ---- On Fri, 20 Apr 2018 01:27:54,"Rowland Penny via samba" <samba at lists.samba.org> wrote: >On Fri, 20 Apr 2018

Happy new year to all! Samba 4.9.17 on stretch, Louis package. On 22/12, at midnight, office closed, i suffered a network outgage that 'broke in two' my domain. On 23/12, at 14.00, network come back. After that, some scripts written around ldbsearch i run on DM (against vdcsv1 that is the DC with FSMO roles) start to complain: Failed to bind - LDAP client internal error:

Hai Marco, What i did mean. You can have 255 chars in total with these limitation's Windows NT 4.0, Windows 95, Windows 98, and LAN Manager : 20 = sAMAccountName Windows 2000 and up : 256 chars = sAMAccountName at alias.domain.tld ( full distinguished name ) The SAM-Account-Name attribute (also known as the pre?Windows 2000 user logon name) is limited to 256 characters in the Active

Mandi! Rowland penny via samba In chel di` si favelave... > yes, Provided you use the right attribute to search on ;-) Ah! ;-) Just i'm here, i test three condition in account flags, eg: UAC=$(ldbsearch ${LDB_OPTS} -b "${BASEDN}" "(&(objectClass=user)(sAMAccountName=$1))" userAccountControl | grep "^userAccountControl: " | cut -d ' ' -f 2-)

Mandi! Rowland penny via samba In chel di` si favelave... > You are authenticating to AD, so you need to use information that AD > understands, its dns domain (not an email domain) and the users name, or the > Netbios domain\username. But UPN is written 'domainful', eg 'username at ad.domain.name': root at vdcsv1:~# ldbsearch -H /var/lib/samba/private/sam.ldb -b

Mandi! Rowland Penny via samba In chel di` si favelave... > > No. Anyway, note that query return correctly 'result: 0 Success', > > simply return no data. > That just means the search retuned without error Eh. Query succeded and return no data. Yes. > If you run the command: > ldapsearch -H ldap://vdcpp1.ad.fvg.lnf.it -W -D >